The result is predictable. Governance teams write blanket policies that apply the same approval process, the same review cycle, and the same restriction level to a chatbot answering HR policy questions and to an agent that can issue refunds in Stripe. The HR chatbot dies in a six-month review cycle. The refund agent ships with weak controls because nobody distinguished it from the chatbot.

Both outcomes are bad. Over-governing low-risk patterns kills adoption and makes AI teams work around the governance process. Under-governing high-risk patterns causes the incidents that make headlines.

The fix is proportional governance: match your controls to the actual risk level of each pattern, not to a generic sense of "AI is risky." That starts with understanding where each pattern sits on the risk gradient. NIST's AI Risk Management Framework recommends exactly this approach, governing, mapping, measuring, and managing AI risk in context, scaled to the specific use case and its potential consequences. If you're still getting familiar with the 10 core patterns, start with what is an AI pattern first.

What drives risk in AI patterns

Three factors determine a pattern's base risk level.

Reversibility of Execute actions. Patterns that don't include an Execute step carry the lowest risk: if the AI is wrong, nothing in the external world has changed. The human reads the output and decides whether to act. Patterns that do Execute carry risk proportional to how hard it is to undo the action. Updating a CRM field is easily reversed. Sending an email to a customer is harder to reverse (you can send a correction, but you can't un-send). Issuing a refund, placing an order, or blocking a transaction sits at the highest reversibility cost.

Gartner's 2025 AI Risk Taxonomy ranks irreversibility as the single highest risk multiplier in AI governance frameworks, ahead of data sensitivity and regulatory exposure, because irreversible errors scale faster and resist correction once the Execute loop has run at volume.

Confidence calibration of Predict outputs. Patterns that rely on Predict to drive routing or decisions carry risk proportional to how well-calibrated the model's confidence is. A lead scoring model that says "82% conversion probability" should be wrong about 18% of the time when it scores leads at 82%. If the model's calibration is off (consistently overconfident or underconfident), every downstream routing decision based on those scores degrades. Miscalibrated confidence is invisible until you audit outcomes against predictions.

Human-in-the-loop placement. Risk is lower when a human review gate sits between Generate and Execute. It's higher when Execute fires automatically based on a threshold or rule. And it's highest when Execute sits inside a loop, running multiple times per goal, where early mistakes compound through later steps. The Generate vs. Execute boundary is the critical design decision for any pattern that includes Execute.

The Risk Gradient Doctrine

AI governance should be proportional to the reversibility and autonomy of each pattern's Execute step, not uniform across all AI systems. A pattern that reads and generates (Tier 1) needs audit logging and user training, not approval gates. A pattern that executes autonomously in a loop (Tier 4) needs scope boundaries, rate limits, rollback capability, and human supervision at launch. Applying Tier 4 governance to Tier 1 patterns kills adoption without reducing risk. Applying Tier 1 governance to Tier 4 patterns is the direct cause of the AI incidents that make headlines.

Key Facts: AI Risk and Governance

80% of organizations have encountered risky or unexpected behavior from AI agents, with almost every incident tracing back to an Execute step that fired without adequate upstream validation (McKinsey, 2025)

Organizations applying uniform governance across all AI patterns spend 3x more on compliance overhead than those using tiered risk-proportional controls, while achieving lower safety outcomes (Deloitte AI Governance Report, 2025)

AI incidents resulting in measurable business harm are 4.7x more likely to involve autonomous or automated Execute patterns than read-only Generate patterns (Forrester AI Incident Analysis, 2025)

The risk spectrum: four tiers

Tier 1: Read-only, no Execute

Patterns: RAG Assistant, Generative Research, Document Review

These patterns Ingest, Analyze, Generate, and stop. Nothing in the external world changes. The output is a text artifact (an answer, a report, a set of flags) that a human reads, evaluates, and acts on. If the AI is wrong, the human catches it before anything is committed.

The RAG Assistant produces answers from a knowledge base. If it retrieves the wrong passages and generates an incorrect answer, the human asking the question reads a wrong answer. That's a problem. But it's a contained problem: one person gets bad information. They might act on it, or they might notice it's wrong and verify.

Generative Research synthesizes a report from multiple sources. If it misattributes a quote or draws an incorrect inference, the reader gets a flawed report. The risk scales with how much the reader trusts and acts on the output without verification.

Document Review flags risks in contracts or policies. If it misses a non-standard clause, the legal team might not catch it. That risk is real, but it's a risk of omission (missed flag), not commission (wrong action taken by the AI).

Base risk: Low. The key control is quality assurance, not governance gates. Train users to verify important outputs, especially for high-stakes documents in Document Review. Maintain audit logs of queries and outputs.

Tier 2: Execute with human approval

Patterns: Workflow Copilot, Meeting Intelligence, Vision Extract

These patterns include Execute, but with a human approval gate that sits between Generate and Execute in the standard implementation.

Workflow Copilot drafts an email or a CRM update. The human reviews the draft and clicks send. Execute fires only after human approval. The risk is in what happens when you remove that approval gate (which is the first thing teams do when they decide the AI is "good enough to trust"). Removing the gate turns a Tier 2 pattern into something closer to Tier 3.

Meeting Intelligence generates call summaries and CRM notes, often with a rep review step before they're pushed. In some implementations, the push to CRM is automatic. When it's automatic, a bad summary becomes a bad CRM record, which affects pipeline reporting, forecasting accuracy, and coaching quality. That's a medium-risk outcome.

Vision Extract pushes structured records to a system of record. In most implementations, a human spot-checks a sample of records before they're committed. When spot-checking is removed (often for cost reasons), extraction errors become database errors.

Base risk: Medium-low. The core governance control is maintaining the human review gate and auditing what happens when you remove it. Define the exception handling: what does the system do with records it can't confidently extract? Route to manual review, not auto-commit with low confidence.

Tier 3: Execute with rules (no per-action human approval)

Patterns: Scoring plus Routing, Anomaly Agent, Personalization Engine

These patterns Execute automatically based on thresholds, rules, or model outputs. There's no human approving each individual action. A lead scores above 80 and automatically routes to the enterprise team. A transaction scores as anomalous and automatically gets flagged or blocked. A user's behavior history triggers a personalized product recommendation. Actions happen at volume, continuously, without a human in the loop on each one.

The governance challenge: the controls are upstream (model calibration, threshold settings, exception queues) not at the point of action. If the lead scoring model is miscalibrated, 20% of your revenue pipeline is routing to the wrong team, and you won't see it until you audit outcomes. If the anomaly agent's baseline is wrong, you're either blocking legitimate customers or missing real fraud. Neither mistake is visible in real time without monitoring.

Base risk: Medium-high. Governance requirements: defined confidence thresholds with human review queues for edge cases, regular model audits comparing predictions to outcomes, rollback procedures for rule changes, and documented exception handling for items that fall below the confidence threshold. Don't set a threshold and forget it. Revisit thresholds quarterly based on outcome data.

Tier 4: Execute in loops, high autonomy

Pattern: Autonomous Agent

The Autonomous Agent uses all five capabilities in a loop, pursuing a goal across multiple steps and multiple systems. Each loop iteration can include Execute actions. A mistake in an early step (wrong Analyze, miscalibrated Predict) propagates through every subsequent Execute action in the loop. And the loop runs again, and again, until the goal is met or the agent decides it can't proceed.

This is categorically different from the other tiers. The Workflow Copilot executes once, with a human reviewing the draft. The Autonomous Agent may execute 15 times while completing a research-and-outreach task, with no human reviewing steps 2 through 14.

The scenarios that cause real damage: an agent researching prospects and sending outreach emails at scale, getting the account mapping wrong and sending inappropriate messages to the wrong company. An agent managing refund requests and issuing refunds based on a flawed matching rule. An agent booking calendar time and creating CRM tasks, running through a 300-contact list, getting the calendar integration wrong, and creating noise across the whole team's schedule. McKinsey reports that 80% of organizations have encountered risky behavior from AI agents, and the patterns above represent precisely the failure modes showing up in those incidents.

Base risk: High. Required governance: explicit scope boundaries (what systems can the agent touch, what actions can it take), rate limits on Execute actions (no more than X emails per hour, no more than $Y in refunds per day without human review), rollback capability for executed actions, and human-in-the-loop at the first production run before scaling. The rate limit is the most overlooked control: it converts a potential mass mistake into a contained, correctable one.

All 10 patterns on the gradient

Pattern	Risk Tier	Execute?	Human gate?	Primary risk
RAG Assistant	Tier 1 (Low)	No	N/A	Wrong or outdated answer
Generative Research	Tier 1 (Low)	No	N/A	Incorrect synthesis, misattributed sources
Document Review	Tier 1 (Low)	No	N/A	Missed flags (risk of omission)
Workflow Copilot	Tier 2 (Medium-low)	Yes, human-gated	Review before Execute	Gate removal; bad drafts committed
Meeting Intelligence	Tier 2 (Medium-low)	Yes, often human-gated	Review before push	Inaccurate notes in system of record
Vision Extract	Tier 2 (Medium-low)	Yes, human-gated	Spot-check before commit	Extraction errors in database
Scoring plus Routing	Tier 3 (Medium-high)	Yes, automatic	Thresholds + exception queue	Miscalibrated model routing at scale
Anomaly Agent	Tier 3 (Medium-high)	Yes, automatic	Thresholds + exception queue	Wrong baseline; false positives or missed alerts
Personalization Engine	Tier 3 (Medium-high)	Yes, automatic	Thresholds + monitoring	Discriminatory personalization; pricing exposure
Autonomous Agent	Tier 4 (High)	Yes, looped	Rate limits + initial supervision	Compounding errors across Execute steps

How domain context multiplies risk

The tier above represents base risk. Domain context is a multiplier.

A Vision Extract pattern processing business cards into a CRM is Tier 2 base risk. A wrong field (phone number off by one digit, company name misspelled) is an annoying data quality issue. Fixable.

The same Vision Extract pattern reading patient intake forms and updating a medical record system is a Tier 3 governance problem. A wrong field value (wrong medication, wrong allergy, wrong dosage) in a patient record can affect clinical decisions. Same capability formula, different domain, different risk tier.

A Scoring plus Routing pattern routing inbound sales leads is Tier 3 base risk. A miscalibrated model routes some leads to the wrong team. Revenue impact, annoying, auditable.

A Scoring plus Routing pattern applied to credit applications is a Tier 4 governance problem in regulated markets. ECOA, Fair Housing Act, and GDPR Article 22 require explainability and human review rights for AI-driven decisions that affect access to credit. Regulatory exposure converts a Tier 3 technical problem into a Tier 4 legal one.

Adjust every pattern's tier upward when: the output affects regulated decisions (credit, employment, housing, healthcare), the data involves sensitive personal information, the Execute action is financial or legally consequential, or the scale of automated action makes mistakes hard to detect before they compound. The measuring AI pattern ROI article in Learn More covers how to quantify when the risk-adjusted return justifies deployment.

Common risk underestimations by pattern

Scoring plus Routing feels safe because it "just routes things." Routing decisions at scale are revenue decisions. If your lead scoring model is wrong about which leads are high-priority, your best reps are working the wrong accounts. If your support ticket router misclassifies urgency, enterprise customers wait in the standard queue. These aren't abstract risks. They're measurable: check your rep activity distribution, your SLA breach rates, and your routing accuracy monthly.

Personalization Engine feels benign because it's just "showing relevant content." Personalized pricing (showing different prices to different users) can create legal exposure under consumer protection laws in several jurisdictions, particularly when the personalization correlates with protected characteristics. Personalized job postings that exclude certain demographic groups based on behavioral targeting have been the subject of EEOC and EU investigations. "We're just personalizing content" isn't a governance answer.

Workflow Copilot seems low-risk because a human reviews everything. Until the human stops reviewing. The review gate is the entire governance structure for this pattern. When teams decide the AI is "good enough" and remove the review step, they've just deployed an automated Execute without Tier 3 governance controls. The transition should be deliberate and documented, not a quiet process change.

Governance requirements by tier

Tier 1: Audit logs of queries and outputs. Quality review process (periodic sampling of outputs by a human reviewer). User training on verification expectations (high-stakes use cases require independent verification). No approval gates needed for standard use.

Tier 2: Maintain human review gates as explicit policy. Document which workflows have auto-commit enabled vs. review-required. Spot-check sample rates for auto-committed records. Exception routing for low-confidence outputs.

Tier 3: Model accuracy monitoring with periodic outcome audits (compare predictions to actual outcomes). Confidence thresholds with exception queues for items below the threshold. Quarterly threshold review based on outcome data. Documentation of routing rules and escalation paths. Alert on model drift.

Tier 4: Explicit scope boundaries documented and enforced at the system level (not just policy). Rate limits on Execute actions. Rollback capability for reverting executed actions. Human supervision required for the first production run. Staged rollout (start with low-stakes accounts or use cases before scaling). Incident response plan for when the agent takes a wrong action at scale.

Building your risk register

A risk register for active AI patterns doesn't need to be complex. For each pattern currently in production, document:

Pattern name and specific use case (e.g., "Scoring plus Routing for inbound lead assignment")
Risk tier (1-4)
Domain multipliers (regulated data? financial consequence? sensitive personal data?)
Owner (who is responsible for monitoring this pattern's accuracy and governance)
Review frequency (Tier 1: annual; Tier 2: quarterly; Tier 3: monthly; Tier 4: weekly until stable)
Current controls (what's actually in place)
Known gaps (what should be in place that isn't)

The register is a living document. As you add patterns, adjust domains, or change configurations, update it. The point is not perfection: it's that someone owns each pattern's risk posture and reviews it on a schedule.

Rework Analysis: The governance mistake we see most often is organizations writing one AI policy that applies uniformly to all AI systems. The policy ends up calibrated to the most dangerous pattern in production (often an autonomous agent or an automated routing system) and applied to everything. The result: low-risk RAG Assistants get blocked in six-month security reviews while the actual high-risk Autonomous Agents that are shipping have only a checkbox review. Tiered governance, matched to each pattern's actual Execute risk, costs less and controls more. The four-tier model above gives risk and compliance teams the vocabulary to write proportional rules instead of blanket ones.

Frequently Asked Questions

What is the risk gradient across AI patterns?

The risk gradient ranks AI patterns from Tier 1 (read-only, no Execute) through Tier 4 (autonomous loops with repeated Execute steps). Tier 1 patterns like RAG Assistant and Generative Research carry low risk because the AI produces text output that a human acts on. Tier 4 patterns like Autonomous Agent carry high risk because Execute fires multiple times per goal without human review, and errors compound across steps.

What makes an AI pattern high risk?

Three factors drive AI pattern risk: irreversibility of Execute actions (how hard it is to undo what the AI did), confidence calibration of Predict outputs (whether scores accurately reflect real probability), and human-in-the-loop placement (whether a human reviews outputs before Execute fires). Forrester's 2025 AI Incident Analysis found AI incidents involving Execute patterns are 4.7x more likely to cause measurable business harm than incidents involving read-only Generate patterns.

How should governance scale across AI pattern risk tiers?

Tier 1 patterns need audit logging and user training on verification expectations. Tier 2 patterns need maintained human review gates and exception routing for low-confidence outputs. Tier 3 patterns need model accuracy monitoring, confidence thresholds with exception queues, and quarterly outcome audits. Tier 4 patterns need scope boundaries, rate limits on Execute actions, rollback capability, and human supervision during initial production runs.

Why is the Workflow Copilot pattern lower risk than Scoring plus Routing?

Workflow Copilot includes an explicit human approval gate between Generate and Execute: the AI drafts, the human approves before anything is sent or committed. Scoring plus Routing executes automatically at scale based on model scores, with no per-action human review. The risk in Workflow Copilot scales with gate removal. The risk in Scoring plus Routing scales with model miscalibration, which is invisible until you audit outcomes.

What is the Risk Gradient Doctrine?

The Risk Gradient Doctrine states that AI governance must be proportional to the reversibility and autonomy of each pattern's Execute step, not uniform across all AI systems. Applying the same controls to a read-only RAG Assistant and an Autonomous Agent simultaneously over-governs low-risk systems and under-governs high-risk ones. Tiered governance matched to each pattern's actual Execute profile costs less and controls more than blanket AI policy.

Does domain context affect a pattern's risk tier?

Yes. Domain context is a multiplier on base risk. Vision Extract processing business cards is Tier 2 base risk. The same pattern updating medical records containing allergy or medication data is a Tier 4 governance problem because errors directly affect clinical decisions. Similarly, Scoring plus Routing for lead assignment is Tier 3, but the same pattern applied to credit decisions triggers regulatory obligations under ECOA and GDPR Article 22 that push it to Tier 4.

Learn more

Victor Hoang

Co-Founder & CMO, Rework

AI Patterns

The Risk Gradient Across AI Patterns